EMV 3D secure: dispelling myths

To be able to talk about security standards for electronic commerce transactions, it is necessary to understand the EMV 3D Secure (Three-Domain Secure) protocol. This protocol has come to play an important role in the e-commerce payment ecosystem, especially in recent years, when digital payments have not only grown exponentially but are expected to grow by more than 20% in the very near future.

We live in a time when fighting fraud is crucial, particularly in a context where electronic commerce keeps gaining fertile ground and fraud opportunities continue to arise.

EMV 3D Secure is an international authentication protocol that helps reduce the risk of fraud in electronic commerce. This EMV 3D Secure security solution covers three main areas. What are those three areas? Three entities play leading roles in the payment acceptance piece of the ecosystem: the merchant, the brand or association, and the payment issuer; the payment method is typically a card.

First, the merchant is where the transaction occurs and where the cardholder’s authorization is requested. Then comes the brand or association, which is the entity that validates the card’s presence in the secure payment ecosystem and sends the transaction to the risk assessment entity. Lastly, the third participant, the issuer, has an access control server (ACS), which takes the card, validates the transaction received from the brand, authenticates it, and then proceeds to authorize it.

Using this as context, we will explain and discuss the biggest myths surrounding EMV 3DS solutions so that you can make the most out of the protocol to reduce the risk of e-commerce fraud and improve your customers’ experience.

Main myths about EMV 3DS

Myth #1:
The rate of declines increases


The issuer’s main concern about implementing this protocol, or any type of transaction authentication mechanism, is the belief that the rate of declined transactions will increase, resulting in a loss of confidence in the payment channel, which would then lead cardholders to abandon their shopping carts.

This myth is not entirely unfounded. The initial version of this protocol sought to create a sense of security in the ecosystem, using the strict rules known at the time and imposing physical controls on the plastic. This brought friction where the client needed to sign up and obtain a permanent password in order to be authenticated with the issuer when making online purchases.

This was not an optimal experience for users, who not only abandoned the purchase process but would also end up needing support to recover their password. It also resulted in an increase in operational costs for issuers who received customer calls throughout the process. Therefore, credit and debit cards ceased to be the main payment methods for cardholders or disappeared completely because clients moved to issuers who were not imposing such strict controls. Losing clients or seeing them use their cards less frequently led to an increase in expenses for the issuer as they attempted to grow their portfolio with new clients; this translated into increased onboarding expenses, creating new accounts and cards, and funding them for use.

At this point, card associations established a partnership (EMVCo) that gave way to the development of the EMV 3DS protocol, implementing a secure authentication ecosystem where the authentication data is reinforced. This includes information about the device used, the sales portal, and the goods acquired. Now, all cardholders eligible to participate are registered in the service, but it is the issuer who decides how, when, and which products can participate in the ecosystem. This helped minimize the first pain point: registration.

Myth #2:
Everyone must authenticate regardless of the type of transaction


Card associations also played a key role at this point: helped by artificial intelligence, they expanded the concept of authentication by applying or removing friction points for the identification of risk elements during the transaction, including payment amount, country of origin, currency of origin, device type, and previous client transactions with the business, among others. Using this information about the cardholder’s behavior, it is possible to determine the probability of a transaction being risky and whether hard friction or non-hard friction should be applied, thus avoiding the need for the cardholder to be authenticated for each transaction.

Myth #3:
EMV 3D Secure affects all transactions


Another widespread belief is that EMV 3D Secure affects all card transactions. EMV 3DS is an authentication protocol that only impacts transactions initiated via e-commerce (card-not-present transactions), where the standards of the authentication protocol —in this case, the payment protocol— must be met. These payments can be made for purchases through web portals, social media merchants, or mobile applications. In any of these scenarios, the cardholder can be authenticated when initiating a transaction with a merchant who employs the protocol to keep the ecosystem secure.

Myth #4:
The implementation of EMV 3D Secure will lead to a drop in sales


One of the biggest myths among merchants underscores the belief that the implementation of the protocol will lead to a notable drop in sales. This issue emerges from the first myth, which focuses on the concern surrounding declined transactions and customers decreasing the amount or simply abandoning their online purchases due to a growing lack of confidence in their transactions. However, the truth is completely different if the protocol is implemented properly. To do this, it is essential to have a business or technological partner that provides the security experience and the elements necessary to develop a consistent authentication strategy.

With Evertec as an ally, you will have access to Scudo, our risk assessment tool for e-commerce, through our digital payment platform, Placetopay, which incorporates the new EMV 3DS protocol. This helps guarantee the success of the authentication strategy, whose correct implementation safeguards authorization rates and provides the merchant a secure alternative.

Myth #5:
The implementation of EMV 3DS is complex


One of the most interesting myths has to do with the difficulty of implementing the protocol, both from the perspective of acquirers and issuers.

From the acquirer’s perspective, merchants tend to think that they will need to incur excessive expenses to integrate the protocol in their online store, that the certification will take a long time, and that it will require a large team to maintain it. However, the industry is offering the protocol as a value-added service. In other words, the protocol is already integrated within the e-commerce transaction process, as is the case of Evertec’s payment solution. When Evertec’s payment Gateway service is purchased in conjunction with PlacetoPay, the transaction authentication security is already integrated, and the merchant can decide, in terms of risk appetite, how thorough the authentication needs to be.

The case is very similar for issuers. Some believe that the main drawbacks to implementing EMV 3DS are concerns over the need to get certified with the different brands and the potential length of the integration process. But this does not have to be the case. Having a service provider like Evertec —which already meets the requirements from EMVCo and the leading card associations — allows issuers to handle the protocol implementation quickly and securely by standardizing their compliance with the different associations.

Myth #6:
The issuer must incorporate different types of security protocols depending on the country where the transaction takes place


Security protocols are being incorporated as part of the legislation of individual countries. Such is the case in the European Union (EU), where PSD2 (Payment Service Providers 2) requirements have been implemented. This legislation affects the electronic payment system in all countries in the EU, and although this protocol includes certain security elements, they are all supported by EMV 3DS. As for how safe transactions are in Europe, Asia, or Latin America, the protocol is already enabled and makes it possible to start acquiring and performing transactions in different countries and/or with different merchant types, no matter where they come from or where the transactions were initiated.

Three Tips: Understand, Measure, Implement

Understanding by educating yourself will always be the best starting point in a constantly changing and evolving ecosystem. You must dig deeper into the subject to really understand the context and all the implications involved in complying or failing to comply with these types of risk assessment measures. Understanding how, at the end of the day, they contribute positively to a much safer payment ecosystem, from the perspective of both the issuer and the acquirer, is essential. It is also important to see how businesses are protecting their interests, be they related to operational expenses or to reputation, from the risk of not having a security element like EMV 3DS.

Second, it is fascinating to measure how much the losses are or what is being risked by not having a security protocol to authenticate transactions. From the merchant’s perspective, it is important to start by understanding:

How many transactions are being initiated through an e-commerce channel?
Considering your total sales, how many of those transactions are generating chargebacks?

And even more importantly, how many of those chargebacks are you recovering? Or are they a real loss since you have to repay the brand for not having the information you need to protect your business revenues?

The issuer is in a similar situation. The organization must understand the following:

At the portfolio level, how many transactions are being conducted that are related to e-commerce?

Of those transactions, how many are generating chargebacks because customers claim the transactions are fraudulent, saying they did not initiate them?

And the more important questions: How many of these situations could have been avoided? If a feature as important as EMV 3D Secure had been available, how much could have been saved in losses associated with e-commerce fraud?

Lastly, the fear of lost sales should not be a deterrent to the implementation of a security feature that will be a decision-making factor for users. They will feel more confident knowing that they are part of a safer ecosystem, which may result in recurring customers and even an increase in your average sales ticket.

From the issuer’s perspective, the cardholder’s confidence is reinforced when conducting an online transaction knowing they have an additional security factor.

Understanding the context in which we are operating, having accurate information to debunk the beliefs surrounding the implementation of a security protocol, and being able to measure how much a specific myth can represent in terms of losses if the protocol is not implemented: all these details will have a positive impact and increase transaction security and the confidence of end users.

Here at Evertec, we have the EMVCo certification for the issuer and acquirer 3DS 2.0 protocols, as well as over two years of experience providing this service and an authentication rate of 94% with minimal exposure to chargebacks. Yes, it is possible to implement a security protocol that reduces the risk in e-commerce transactions and prevents unauthorized use of cards!

Antuam Traverso Ortega
Product Manager Risk & Fraud Products
